security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
4ffdc46ba7ed68ce75bcdb520272c81f2bf64c20
sigma-rules/rules/windows/execution_command_prompt_connecting_to_the_internet.toml
T
Justin Ibarra be08536880 Increase lookback for endpoint rules (#200)
2020-08-21 12:23:43 -05:00

62 lines
1.6 KiB
TOML
Raw Blame History

[metadata]
creation_date = "2020/02/18"
ecs_version = ["1.5.0"]
maturity = "production"
updated_date = "2020/08/03"
[rule]
author = ["Elastic"]
description = """
Identifies cmd.exe making a network connection. Adversaries could abuse cmd.exe to download or execute malware from a
remote URL.
"""
false_positives = [
"""
Administrators may use the command prompt for regular administrative tasks. It's important to baseline your
environment for network connections being made from the command prompt to determine any abnormal use of this tool.
""",
]
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
name = "Command Prompt Network Connection"
risk_score = 21
rule_id = "89f9a4b0-9f8f-4ee0-8823-c4751a6d6696"
severity = "low"
tags = ["Elastic", "Windows"]
type = "query"
query = '''
event.category:network and event.type:connection and
process.name:cmd.exe and
not destination.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command-Line Interface"
reference = "https://attack.mitre.org/techniques/T1059/"
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1105"
name = "Remote File Copy"
reference = "https://attack.mitre.org/techniques/T1105/"
[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
Reference in New Issue View Git Blame Copy Permalink